I have come across various scanarios where System Administrators have installed IIS on Domain Controllers. They do it to efffectively utilize that server hardware, to cut down cost by preventing a need for another server for IIS, some application that needs to be installed on the DC requires IIS etc.

 

Microsoft does NOT recommend IIS on a Domain Controller running Active Directory. There are 2 mains reasons behind this stand.

 

1.     By installing IIS on a DC, we will end up increasing the surface attack area on that DC, hence causing a threat to the security database of the domain. This may also effect the servers performance and reliability.

 

2.     IIS would NOT work correctly as it mainly works with local users and groups which will now become domain users /groups. This would cause permission issues if the ACLs set on different IIS folders and Metabase is not updated correctly.

 

Below are a few articles that would give you some idea of the issues faced when IIS is installed on a Domain controller.

 

DCPROMO does not retain permissions on some IIS folders
http://support.microsoft.com/default.aspx?scid=kb;EN-US;332097

 

How To Promote a Member Server Running IIS to a Domain Controller Running IIS
http://support.microsoft.com/kb/300432

 

FIX: ASP.NET does not work with the default ASPNET account on a domain controller
http://support.microsoft.com/default.aspx?scid=kb;EN-US;315158

 

Cannot install a Systems Management Server 2003 Management Point role on Windows Server 2003 domain controllers
http://support.microsoft.com/default.aspx?scid=kb;EN-US;886213

 

Avoid installing IIS on a domain controller
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/3a0742c4-f45a-4504-a232-83dd085bcfb3.mspx?mfr=true

 

Part from the above resources, I strongly recommend viewing the webcast below as it will talk in detail on why IIS is not recommended on DC. This webcast also covers the issues you may face when you install IIS on DC and how it deal with it.

 

TechNet Webcast: Successfully Running IIS on a Domain Controller - Level 200
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032245355&Culture=en-US

 

To summarize, we don’t recommend installing IIS on DCs, but if you have to install it you need to be prepared to deal with issue related to IIS.

 

- Abizer